author | Florian Weimer <fweimer@redhat.com> | 2016-04-20 09:01:33 -0500 |
---|---|---|
committer | Paul E. Murphy <murphyp@linux.vnet.ibm.com> | 2016-04-20 09:17:30 -0500 |
commit | d3d94abbe8af2aa6e3de6a85983b9f17070a7564 (patch) | |
tree | a62af71109ec79fc8376125276a867afce0f58ed | |
parent | 2eb35ebfb291f773c1ba7939601a049acb4f3706 (diff) | |
CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
The defensive copy is not needed because the name may not alias the
output buffer.
(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | resolv/nss_dns/dns-network.c | 5 |
3 files changed, 9 insertions, 5 deletions
@@ -1,3 +1,10 @@ +2016-04-20 Florian Weimer <fweimer@redhat.com> + + [BZ #19879] + CVE-2016-3075 + * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not + copy name. + 2016-04-19 Florian Weimer <fweimer@redhat.com> [BZ #19791] @@ -27,7 +27,7 @@ Version 2.18.1 15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15946, 15996, 16009, 16072, 16150, 16169, 16387, 16414, 16430, 16431, 16510, 16617, 16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17269, - 17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018. + 17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018, 19879. * The LD_POINTER_GUARD environment variable can no longer be used to disable the pointer guard feature. It is always enabled. diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 7507f8c467..a6593c55c8 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, } net_buffer; querybuf *orig_net_buffer; int anslen; - char *qbuf; enum nss_status status; if (__res_maybe_init (&_res, 0) == -1) return NSS_STATUS_UNAVAIL; - qbuf = strdupa (name); - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); - anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, + anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 1024, &net_buffer.ptr, NULL, NULL, NULL); if (anslen < 0) { |
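Review bot: The call `__libc_res_nsearch (&_res, name, C_IN, T_PTR, ...)` in resolv/nss_dns/dns-network.c now passes the caller's `name` straight through, but nothing in the code records why the copy was dropped, so a later cleanup could reintroduce a stack copy sized by caller input, which is the overflow this commit fixes. A comment above the call would pin the invariant, for example `/* Pass name directly: it may not alias the output buffer, and a stack copy of it would be unbounded (BZ #19879).  */`. Separately, the literal `1024` appears both in `alloca (1024)` and as the answer-buffer length argument; the two have to stay equal for the length handed to the resolver to match the allocation, so a single named constant would be safer. The body of `_nss_dns_getnetbyname_r` starts and ends outside this hunk, so how `anslen` and `net_buffer.ptr` are handled afterwards is not visible here.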